I'm seeing this error as well on the fiancee's blog at http://www.believemagic.com/journal. I get the error in IE6 SP2 under Windows XP SP2 on two different PCs (one is an actual PC, the other is a Virtual PC under MacOS X). The fiancee also gets the error from work under Win2k in IE5.5 (she thinks that's the IE version, anyway). And one of her users mentioned it to her, which is how we found out in the first place (unknown OS and browser).

Safari 1.2.4, FireFox 1.0, and IE 5.2 on the Mac exhibit no problems. Similarly, FireFox 1.1 on the PC has no problems. But every time I try to click on any comment link in IE6 in XP, I get the "error: file cannot be used on its own" message. This includes posts that already have a comment or two posted, FWIW.

Is there a recent update to IE for the PC that would cause pop-up comments to go AFU? A security setting, perhaps?

I'll have access to a few more machines at the university tomorrow - I'll see if I get the error from there as well.

I only get the error when I try to post comments to other friends WP blogs that are a newer version. I have an older version of WP and have no problems commenting and no one has ever told me that they get that error. I have tried numerous friends blogs in numerous browsers and get that blasted error message and it is driving me insane quite frankly.

In Opera you can easily enable/disable sending that header. With the referer header enabled, I get no error message. With the header disabled, I get the error every time. Tested in Opera v8.0 on the Mac and v7.54 on Windows.

I'd love it if others could reproduce that result, just to make sure it's nothing wacky on my end.

I'm only seeing the issue when popup comments are enabled. With popup comments commented out, there's no problem. That's been the temporary fix for the fiancee's blog (disable popup comments) since I can't very well tell her users they must use Opera.

So what would happen if I just commented out these lines in wp-comments-popup.php:

if (!$_SERVER['HTTP_REFERER'] == dirname(__FILE__) . '/wp-comments.php')
{
die ('Error: This file cannot be used on its own.');
}

As I said before, I know precisely jack about PHP. What's the purpose for these lines? Is using the referer header merely an anti-spam device, or does it serve a larger purpose? Is the error message really caused by the referer header being not present (or malformed somehow) or does it just look that way?

The same lines appear in wp-comments-post.php... would I have to remove them from there as well?

More to the point, will I be crushed by a huge foot (Monty Python animation-style) if I just sorta remove those lines and see what happens?

One of my important visitors had this same problem with the "Error: This file cannot be used on its own." We spent days trying to get around it and nothing seemed to work.

Finally, we attempted to post after SHUTTING DOWN NORTON ANTI-VIRUS. It worked like a charm. Now, this is not, in any way, a permanent fix, but it does give us the next step to investigate. Is there something is anti-virus software that causes referer headers to be sent or not? I'd like to find out so I can ensure ease of use for my site. Every visitor is precious, you know. Feel free to stop by and take a looksie yourself.

I think that particular bit of code is there to prevent spam bots from leaving comments, since they won't show the necessary referrer information. So if the tradeoff is that some nonstandard browser configurations (my Firefox works fine) can't leave comments, I wouldn't mess with it.

It's part of Norton's privacy features to disable your browser to send certain information from your machine.

If the site U leave from or go to rely on this information and has bad coding (to avoid the error if not found) U get the actual error.

So, the problem lies within the code of the page that faults (partly), Norton default privacy settings or U have manually disabled your browser to send the information needed by the blog to complete its tasks.

It sounds to me like there are several ways this problem can come about, and that the fixes are just as varied. To clarify for people who might be confused, I'll attempt a quick breakdown. Please correct me if I've got something wrong.

If you or someone you know is getting this error, it's probably not a browser problem, but a problem with another program running on the person's computer.

Most Norton programs on PCs show up as little icons in the lower-right of your screen (this varies with personal settings). Floating your pointer over the little icons should tell you which ones are Norton programs.

One solution is to disable the program while you're at WordPress sites. Right-clicking on the icons will usually produce a menu with "disable" as one of the options.

What's going on is a conflict between some programs and WordPress's built-in anti-spam features. Spam-bots are computer programs familiar with the WordPress file structure, so they can quickly generate what is likely a comment page URL and send comment-spam. WordPress is set to disallow these comments, requiring that a user actually click on a WordPress link that leads to the comment entry page. You don't really have to know this, but I think it's good to understand it at least a little.

I helped a friend who had this problem; it wasn't the antivirus software that was giving the problem, and it wasn't pop-up blockers, though others have said turning off these things has helped. I left those things on and merely disabled the Norton Firewall program, and everything was dandy. I say this because it sounds like there are many ways to run into this error and many ways to fix it; if none of the given suggestions is helping you, play around with those programs your computer is running while you're on the Web.

Hope this helps someone. The posts above helped me, in that they sent me in the direction toward my fix, despite none of them offering the specific solution that was needed in my case.

It IS a consequence of your firewall parameters.
And it IS related to your browser (depending on Firewalls capabilities.
I tried this with Zonealarm Pro and it works:
OPen ZA control,
Go to "Program Control" and "Programs" tab
*For each browser you are using (example below with IExplorer)
-Search & select Internet Explorer
-Right click, select "Options"
-UNcheck (de-select) "Enable privacy for this program" in the "Filter options" of the "Security" tab.
That's it.

The difficulty with the firewall solutions - at least when I tested on my end - is that my Windows XP box has absolutely no software firewall installed, no privacy software, nothing of that sort at all (not even the Windows firewall). The only thing that comes close is NAV Corporate. But the problem occured only in IE, not in FireFox, on the same machine - and I certainly didn't customize non-existent firewall software on the machine to allow one browser but not the other to send referer request headers.

Also, as usual, my Macs didn't exhibit the problem, unless I turned off the referer request header in Opera. So there's something in IE that's blocking sending that bit o' information, but I'll be damned if I know what it is.

1. WordPress has a security feature to make sure that comments are posted from the current site. It does this by checking the HTTP Referer header. Typically, browsers set this header to indicate the page that a user is coming from (i.e. they click a link from www.a.com/foo to www.b.com/bar, so the www.b.com server sees a request for the bar page, and it sees a referer of www.a.com/foo)

2. Some privacy tools prevent the HTTP referer header from being sent (some firefox extensions, Opera, and some personal firewalls/antivirus products have this option, or leave it enabled all the time).

Thus there are two solutions.
1. The blog host can disable the referer check in WordPress by opening up the PHP code and commenting out the if statement that has been mentioned above in this thread.

2. The person trying to post can disable whatever is stopping the referer header from being sent (whether it is a firewall, antivirus, or a browser feature/extension).

I am having the same issue, but with another function. IE is not properly passing or using the $_SERVER['HTTP_REFERER']. FF does it fine, so it is not something related to antivirus or firewall or anything like that, just specific to IE6. Anyone know a different variable that IE will recognise or the specific thing within IE that either enables or disables that?

May I clarify something? This problem arose with my blog today, for the first time after several years of using WordPress.

My host (Moose Internet Services) went belly up last week and I have had to move hosting to Dreamhost. My newly-installed WordPress is 2.0.4, I was running 2.0.3 previously, with no problems at The Moose.

Dreamhost say this, in their wiki:

"Finally, we have put a tiny little hack of our own in the wp-comments-post.php and wp-comments-popup.php files to try and prevent automated comment spam a bit. If you end up never getting any comment spam, it may be that that little hack was enough!"

Now... I looked at my WP code, and I found the section indicated in this thread. I had a wp-comments-post file with the code at the head (before the requires statement) and a popup file, which had only this piece of code in it.

Alarm bells rang.

We looked at the WordPress official download for 2.0.4 and this code does not appear

What I want to know is - was this code at some time in the official WP release? or was it NEVER there and are all the people who have reported the problem in fact hosted at Dreamhost?

I've commented the code out for now but I need to work out what to do if this is a Dreamhost hack (the code was uncommented!!) and they are likely to reintroduce it with any automatic upgrade processes.

I had the same issue and I use Choopa.com so it can't just be dreamhost...

I am really hoping for a solution that works on this one. I will try to comment out the code above. But the answer just can't stop at - Norton people will have to do A,B and C. WordPress should work around the Norton issue for their next build. At least, that is my hope.

:)
v

On a side note, I don't have that line of code in my comments or comments popup php pages?? How can that be?

It is pretty clear (to me at least) that this problem affects some users, based on their firewall and security software. It is definitely caused by the Dreamhost hack of the WordPress files. Commenting the hack out cures the problem.

I think the fact that WordPress installations on other hosts also exhibit the same problem might be down to them deploying a similar tactic. Of course, there can be no level of certainty about this.

Whatever - if you comment out the code in your comments and comments pop up files, the problem does go away. It comes back when using the Dreamhost 1-click upgrade though ;-)

To be clear - it is only these lines that need removing or commenting out:

if (!$_SERVER['HTTP_REFERER'] == dirname(__FILE__) . '/wp-comments.php')
{
die ('Error: This file cannot be used on its own.');
}

(my comments pop up file consisted of only this code, and nothing else)

The files in question are in the root of the installation, not in any of the theme directories.

The usual caveats apply - but it worked for me and for those of my readers who were affected. Hope this helps.

This worked for me, thanks. I just ugraded to the latest wordpress and then this error started happening. Edited out those lines and bingo, problem solved. Even remembered to backup the file I was changing in case I broke it :)